Hi Wilma,
On Fri, Mar 7, 2014 at 7:40 PM, Wilma Hermann <wilma.herm...@gmail.com> wrote:

> Hi Valentin,
>
> > Last time I checked, my CA looked pretty real to me
> Admittedly, "real" might have been the wrong word. Probably "common"
> would have better described what I meant.
>
> > And why is that? Is Verisign's random number generator better than yours?
> No, but their root certificate is shipped with every common browser
> out there, even on mobile devices.
>

You are right. And so we put our trust in them.

> > None of the RFCs I've read about PKI don't tell me that I SHOULD NOT use
> > self signed certs for production environments.
> Fair enough, that's true. And when you have an environment where you
> can ensure that all users have your root certificate installed, then
> there's no downside of a private CA-infrastructure. But from ML's
> comments I assumed that this particular OpenNebula installation is to
> be opened to the public (or at least an audience where ML cannot make
> sure that the root certificate is trusted by default).
> If that assumption holds and you're not willing to spend a few dollars
> for an uninterrupted user-experience, then I question your business
> model...
>

I totally agree with you about the user experience and for it is worth
investing a few dollars. I guess I am just frustrated that TLS fails to
provide peer to peer trust.

Greetings,
Valentin

> Greetings
> Wilma
>
>
> 2014-03-07 17:37 GMT+01:00 Valentin Bud <valentin....@gmail.com>:
> >
> > Hello Wilma,
> >
> > On Thu, Feb 6, 2014 at 6:20 PM, Wilma Hermann <wilma.herm...@gmail.com> wrote:
> >>
> >> There is a really easy fix for that: Get a real certificate from a real
> >> CA. You should not use self-signed certs for a production environment.
> >
> > And why is that? Is Verisign's random number generator better than yours?
> > A real certificate from a real CA? I don't get that. Last time I checked, my CA
> > looked pretty real to me, conforming with RFC 5280. And the certificates from the
> > browser and VPNs issued by that CA are also real.
> >
> > None of the RFCs I've read about PKI don't tell me that I SHOULD NOT use
> > self signed certs for production environments.
> >
> > Your business's image could suffer from a self signed cert but that's another
> > story. Technology is technology and it should work either way, be it self signed
> > or not.
> >
> > Best,
> > Valentin
> >
> >>
> >> Greetings
> >> Wilma
> >>
> >>
> >> 2014-02-06 ML mail <mlnos...@yahoo.com>:
> >>
> >>> This workaround fixes that problem yes but it is not a good workaround
> >>> especially if you want to offer opennebula to real customers. I hope
> >>> another better alternative can be found in the future but I am aware that
> >>> this is mostly a browser problem :|
> >>>
> >>> Regards
> >>> ML
> >>>
> >>>
> >>> On Thursday, February 6, 2014 10:56 AM, Daniel Molina <dmol...@opennebula.org> wrote:
> >>> Hi,
> >>>
> >>> On 5 February 2014 16:58, ML mail <mlnos...@yahoo.com> wrote:
> >>>
> >>> Hello,
> >>>
> >>> I would like to use noVNC in Sunstone over an encrypted channel (WSS).
> >>> Therefore I have generated my own SSL key and certificate which I have
> >>> added to the sunstone-server.conf configuration. The problem is that this
> >>> does not work, when I start VNC from the Sunstone web interface I get the
> >>> following error message in novnc.log:
> >>>
> >>> SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> >>>
> >>> Does this mean I need an official SSL certificate?
> >>>
> >>>
> >>> Please, check if the solution proposed in this thread, fixes your problem
> >>> http://lists.opennebula.org/pipermail/users-opennebula.org/2014-February/026405.html
> >>>
> >>> Cheers
> >>>
> >>>
> >>> Regards
> >>>
> >>> ML
> >>>
> >>>
> >>> --
> >>> Daniel Molina
> >>> Project Engineer
> >>> OpenNebula - Flexible Enterprise Cloud Made Simple
> >>> www.OpenNebula.org | dmol...@opennebula.org | @OpenNebula
> >>>
> >
> > --
> > Valentin Bud
> > http://databus.pro | valen...@databus.pro

--
Valentin Bud
http://databus.pro | valen...@databus.pro
_______________________________________________
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
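
The trust decision the thread argues about, as an added example that is not part of the original messages: a server certificate issued by a private CA verifies only for a client that has that CA's root installed, and any other client rejects it, which is the condition behind the "unknown ca" alert. All file names and subject names are constructed, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Constructed demo: every name, subject and path below is made up.
# Assumes the openssl command-line tool is available.

# make_ca DIR NAME CN: create a self-signed root (key + certificate) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_leaf DIR CA_NAME CN: issue a server certificate signed by CA_NAME.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days 1 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/leaf.crt" 2>/dev/null
}

# chain_trusted ROOT CERT: succeed only if CERT chains to the given root.
chain_trusted() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# trust_demo: return 0 when the client holding the private root accepts the
# certificate and the client holding only an unrelated root rejects it.
trust_demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" private "Constructed Private Root" &&
    make_ca "$dir" other "Constructed Unrelated Root" &&
    issue_leaf "$dir" private "sunstone.example.test" ||
        { rm -rf "$dir"; return 1; }
    rc=0
    if chain_trusted "$dir/private.crt" "$dir/leaf.crt"; then
        echo "client with private root installed: accepted"
    else
        rc=1
    fi
    if chain_trusted "$dir/other.crt" "$dir/leaf.crt"; then
        rc=1
    else
        echo "client without private root: rejected"
    fi
    rm -rf "$dir"
    return $rc
}

trust_demo
```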